a6ca65201a
This is a second attempt at securing the get command output endpoint which could have data such as logs which could potentially have sensitive details and information after the agent has completed one or more actions. Now, if a token is receieved, the agent locks out the command results endpoint, and requires all future calls to include it. This allows for the agent to be backwards compatible. Special thanks go to cid for his first attempt at this, which I took for the basis of some of the testing required. Closes-Bug: #2086866 Co-Authored-By: cid@gr-oss.io Change-Id: Ia39a3894ef5efaffd7e1d22cc6244059a32175ff
12 lines
559 B
YAML
12 lines
559 B
YAML
---
|
|
fixes:
|
|
- |
|
|
Fixes a potential security issue where a third party may be able to
|
|
retrieve potentially sensitive data in command result output from
|
|
the agent. If a request comes in with an ``agent_token`` to the
|
|
command results endpoint, the agent will now require all future
|
|
calls to leverage the token to retrieve results and validate
|
|
that token's validity. This effectively eliminates the possibility
|
|
of a malicious entity with access to the agent's API endpoint from
|
|
capturing the command results from agent operations.
|